by bug0303 4665 days ago
I also submitted a bug to MEGA, haven't received a response yet.

The bug goes like this: https://mega.co.nz/#!your_file_here!decryption_key In Firefox, when you have JavaScript disabled via the option or using an add-on like NoScript, it will redirect you to: https://mega.co.nz/?_escaped_fragment_=your_file_here!decryp...

So MEGA will receive the HTTP request with $_GET['_escaped_fragment_'] containing your decryption key. So if you send a file to a friend who happens to not have JavaScript enabled for the website, it will reveal the decryption key to MEGA.

To fix the issue, all MEGA needs to do is add a double hash like: https://mega.co.nz/##!your_file_here!decryption_key This redirects to https://mega.co.nz/#?_escaped_fragment_=your_file_here!decry... keeping your decryption key safe even if they forget to use JavaScript.
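
Added example, not part of the comment above: a small check of which of the four link shapes in the comment put the key into the HTTP request target (path plus query) and which keep it in the fragment, which browsers do not transmit. The file ID and key are constructed sample values, and the redirect targets are taken from the comment as described rather than observed.

```javascript
// Constructed sample values, not real MEGA identifiers or keys.
const FILE_ID = "SAMPLEFILE";
const KEY = "SAMPLEKEY123";

// The request target a browser sends to the server: path + query only.
// Everything from the first '#' onward (the fragment) stays client-side.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// True if the key would be visible to the server (and to its access logs).
function keyReachesServer(link, key) {
  return requestTarget(link).includes(key);
}

// The four link shapes from the comment, with sample values filled in.
const links = {
  original: `https://mega.co.nz/#!${FILE_ID}!${KEY}`,
  redirectedNoJs: `https://mega.co.nz/?_escaped_fragment_=${FILE_ID}!${KEY}`,
  doubleHash: `https://mega.co.nz/##!${FILE_ID}!${KEY}`,
  doubleHashRedirected: `https://mega.co.nz/#?_escaped_fragment_=${FILE_ID}!${KEY}`,
};

// Report, per link, what is sent on the wire and whether the key leaks.
function audit(all, key) {
  const out = {};
  for (const [name, link] of Object.entries(all)) {
    out[name] = {
      sent: requestTarget(link),
      leaks: keyReachesServer(link, key),
    };
  }
  return out;
}

console.table(audit(links, KEY));
```

Only the `redirectedNoJs` form carries the key in the query string; in the other three the server sees a request for `/` and nothing else.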